Cybersecurity takes new approach: GCHQ hires Teenage Apprentices

So, it’s official: Xbox teens are on their way to GCHQ to take on the global hackers. Cyber security is one of the greatest challenges of our time, with cyber warfare and internet criminals posing a serious threat to corporate wealth and national security. Speaking at Bletchley Park, the home of Britain’s Second World War codebreakers, foreign secretary William Hague said: “Today we are not at war, but I see evidence every day of deliberate, organised attacks against intellectual property and government networks in the United Kingdom from cyber criminals or foreign actors with the potential to undermine our security and economic competitiveness”.

“This is one of the great challenges of our time, and we must confront it to ensure that Britain remains a world leader in cyber security and a pre-eminent safe space for e-commerce and intellectual property online.” With all of that, I agree entirely!

In the words of Dizzee Rascal, it’s time to “Fix Up, Look Sharp!”.

So what is our Government doing to encourage a more cyber resilient homeland?

And perhaps of greater importance, is IT the answer, or the people who use the IT?

Relying on firewalls is no longer a serious option – you need Standards

The fact is, our cyber security can no longer rely on firewalls and IT managers alone; the need for a security policy derived from a Standards-based approach is becoming more obvious to the industry pundits. The problem is, the West, and the UK in particular, is anti-regulation, opposed to red tape and resistant to change.

The ISO27001 information security standard is sometimes rejected on the basis that it adds complexity and restrictions to the already over-burdened business community. This is, I might add, a complete fallacy; but the impression persists and the money needed to fund ISO27001 is all too easily cut from the budget in cash-strapped enterprises that haven’t yet understood the enormous risks that result from poor ‘cyber-hygiene’ and a lack of basic awareness among their hard-working employees.

How does government square this circle? Answer: William Hague and others in the British Cabinet need to back a drive to achieve accredited ISO27001 certification.

How?

Not by preaching, but teaching. And the best teachers get their students thinking!

Government needs to ask questions of Industry – persistently and authoritatively:

Are our present information systems and the security policies that protect them a soft target because we are not keeping up with changes in global internet culture?

Do we need to think out of the box (as recent GCHQ initiatives strongly suggest) and not rely on the IT department to solve company-wide cyber-security dilemmas?

Whose job is ‘cyber security’? And do your fellow Board members know the answer?

Is the future of cyber security a ‘do what you please’ approach, or would adopting an international standard (as China, India and Brazil are now in the process of doing) be a better way to address the fundamental issues of information security?

“Action this Day” was Churchill’s way of saying “Don’t delay: just do it!”

These are important questions. The commonwealth of business and national security interests is best served by encouraging this subject to be discussed, debated, and (as quickly as possible) ACTIONED! Because time is fast running out.

The director of the National Security Agency (NSA) has called cybercrime “the greatest transfer of wealth in history.” As such, he urged politicians and the American population in general to support cybersecurity legislation being pushed through Congress [Source: ZDNet]. The politicians are waking up to the threat.

“In fact, in my opinion, it’s the greatest transfer of wealth in history,” U.S. Army Gen. Keith B. Alexander said in a statement. “Symantec placed the cost of IP theft to United States companies at $250 billion a year, global cybercrime at $114 billion annually ($388 billion when you factor in downtime), and McAfee estimates that $1 trillion was spent globally on remediation.” He adds: “And that’s our future disappearing in front of us.” These are numbers which suggest that action on the part of industry and government is not optional. The risk of a serious breach costing more than you can bear (or insure against) is quantifiable – and too high to ignore.

William Hague also said last month that the government is hiring young people, straight from UK schools and not university, with the internet gaming and social media skills that are the antidote to conventional thinking about IT security. Up to 100 apprentices for Britain’s intelligence agencies will emulate the men and women who worked at Bletchley Park, the former code-breaking centre just north of London and once the most secret place in Britain. It’s a case of The Apprentice for rising star Uber-Geeks, but I think that we can learn a lot from them.

Although the global recession is still the biggest news on the internet for obvious reasons, cybercrime and its confederate, cyber terrorism, are fast developing as the most persistent competitors for the top news slot. The fact that we even need to consider combating determined attackers with the help of 100 18-year-olds is on one level an inspiration for future security professionals, but on another, a sign of the growing desperation that is taking over in the Boardrooms of the western world. It’s not so much their skills in modern IT thinking that we need… it’s their Culture!

What can ‘Xbox teens’ at GCHQ teach seasoned IT security professionals?

Games may hold a clue. Specifically, massively multiplayer online role-playing games (MMORPGs), which are “immensely popular”, as the Wikipedia article says. China, apparently, is one of the largest markets. What can we learn about the threats posed by online games – and what will the new teenage recruits at GCHQ be able to do to protect us from the mindset of hackers? In my view, more than just technical skills alone. The majority of popular MMORPGs are based on traditional fantasy themes, often occurring in an in-game universe comparable to that of Dungeons & Dragons. Some employ hybrid themes that either merge or substitute fantasy elements with those of science fiction, sword and sorcery, or crime fiction. (In other words, these are highly complex worlds where there is a lot going on: technology futures are emerging, wars and magic are rife, and crimes are being committed … does that sound familiar to you? I’m sure it has a familiar parallel somewhere.) Still others draw thematic material from American comic books, the occult and other genres. Often these elements are developed using similar tasks and scenarios involving quests, monsters, and loot. – A day in the business world?

Then there’s the games concept of the ‘epic win’ and the feeling that you get when you are victorious. Consider this comment on Wiki Answers headed “Epic Win FTW”:

“It means you win epically for the win.

The only way it can really make sense is that the person saying it just had a large victory in ‘something’ and are very pleased with the result.

Epic win being a big victory or something that’s incredibly cool.

FTW being “for the win”, which denotes whether something is good or bad (for the win/FTW = good, for the lose/FTL = bad).”

I trust that you all followed that? I think it could possibly help to explain something about gaming, and by close association, the hacker’s burning desire to breach your information security, despite the large sum of money that you already spend in your efforts to stop them. The motivation to download your confidential client data and publish it to the world or even to defraud you of cash sitting on your online bank accounts presents an especially tempting challenge to a certain kind of individual. Your corporate IT setup is a ‘next level’ virtual world that offers opportunity “FTW”.

Your data is the Epic prize: the game is hacking – are you battle ready?

Breaching your security is an exhilarating game that, on the whole, can be played for the same – or even appreciably better – thrills than you can buy by subscribing to an MMORPG; whether the hacker’s motives include illegal financial gain, or not.

It’s a phenomenon that is, I conjecture, only possible in the poorly-policed and largely frontier world of cyber space – especially in the era of cloud applications, mobile devices, and the disappearance of the secure perimeter that was your trusty firewall before the Port 80 revolution that has prioritised accessibility over security.

Back in the real business world, persistently attacking a wealthy organisation’s security infrastructure would probably result in severe legal penalties; especially if these attacks led to sizeable thefts, massive reputational damage and a collapse of faith in that entity’s ability to control its assets in the interests of its stakeholders.

But before you dismiss The Epic Win, it could be your best friend in terms of a FTW future. The Government has worked this out too, perhaps with help from wise heads at GCHQ and with the epic wartime inspiration of the Ultra project at Bletchley Park.

Young people can see ways round a problem because they don’t yet know that they can’t solve it. Which points to why the Bletchley Park decoders, with Alan Turing’s particular brand of left-field logic, were able to do what others (the Nazis included) thought was impossible. Watch Jane McGonigal: Gaming can make a better world.

What would your equivalent of the Epic Win be? How about implementing an ISMS based on the international standard known as ISO27001? How difficult can it be?